OpenBSD on a Laptop (c0ffee.net)
266 points by perlgod 5 months ago | 116 comments

This is probably the single coolest feature of OpenBSD: “Also, Chromium on OpenBSD recently got unveil support. If you run it with --enable-unveil, Chromium will be prevented (at the OS level) from accessing anything other than your ~/Downloads folder.”

FWIW: On Linux, I use firejail to do this.

But it's sweet to have natively :)

Does anyone know how this works with profiles / cache? Does this force something like incognito mode? Also does this mean you can't upload / select files outside of the Downloads folder?

I wonder if it means no webcam access as that would require access to /dev?

It does have access to .cache and .config as well

Does anybody know if FreeBSD has any form of sandboxing (e.g. seccomp) available for any of the available browsers?

FreeBSD has Capsicum, but from what I’ve heard the Chromium upstream has been reluctant to integrate the patches, so they rotted.

Which is kind of weird, given they (Google) have their own port of Capsicum to Linux. Oh well.

That's really too bad -- are there no other FBSD alternatives that are maintained?

Also -- I am going to get flamed for this -- but a GPL license would have forced Google to upstream their Capsicum changes wouldn't it -- whereas the BSD license doesn't have such a mandate.

The GPL doesn't force people to upstream their changes, although it often has that effect. The GPL only forces you to give source downstream. If your customers never share the source with anyone else (and your upstream is not one of your customers) then your upstream will never get the changes. A good example of this is the game TOME. It has downloadable content that is licensed under the GPL. You get the source code when you buy the DLC. I've never seen anyone distribute it, though (and it's highly frowned upon in the community). The author has a weird idea of the GPL, though, so I don't think he really understands that anyone is allowed to distribute that code.

But in practice people usually freely distribute GPL code, so it's impossible to stop your upstream from eventually getting it.

It would be somewhat counterproductive to introduce yet another sandboxing mechanism, just to work around a problem created by upstream - especially in the case of a mechanism as awesome as Capsicum :-)

Yes, the GPL license would force them to share their changes. Thing is, they wanted to upstream them anyway - AFAIK the problem is on the other (accepting) side.

Yes, I guess there is little doubt that Capsicum is the superior (compared to seccomp) capabilities framework, but if it's not used outside of FreeBSD's base (e.g. ssh, bhyve, etc.) then it is indeed a shame.

How does this compare to the sandboxing on macOS? Is this just at the file level, currently?

That's pretty cool. I wish Chromium supported this on Linux too. It seems more like a Chromium feature than an OpenBSD feature to me though? Linux programs installed via say flatpak have this on by default.

unveil(2) is an OpenBSD-specific feature, although you could accomplish something very similar with Linux and another sandboxing tool (or SELinux, but that might be overkill). I highly recommend you read the man page for unveil(2), it's very cool: https://man.openbsd.org/unveil

> unveil(2) is an OpenBSD-specific feature

Yes, I am aware. I thought it was pretty obvious that when I said "it's a Chrome feature" I didn't mean "unveil(2)" but being able to restrict access to the filesystem. Which is possible with both Linux and OpenBSD, of course. Alas, the downvoters seem to disagree.
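As an added illustration of the OS-level restriction under discussion (this is not code from the article, the thread, or Chromium), here is a small C program that unveils only ~/Downloads the way Chromium's --enable-unveil does and then shows that the rest of the filesystem has vanished from the process's point of view. The stand-in unveil() for non-OpenBSD systems is an assumption added so the file compiles elsewhere; the real restriction only takes effect on OpenBSD.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* unveil(2) exists only on OpenBSD. This stand-in (an assumption for other
 * platforms) keeps the file compiling there; it always fails with ENOSYS so
 * callers can tell that no restriction was actually applied. */
static int unveil(const char *path, const char *permissions)
{
    (void)path;
    (void)permissions;
    errno = ENOSYS;
    return -1;
}
#endif

/* Build "<home>/Downloads" into buf. Returns 0, or -1 if it does not fit. */
int downloads_path(const char *home, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s/Downloads", home);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Restrict this process, at the OS level, to read/write/create inside
 * <home>/Downloads, then lock the unveil list so it can never be widened.
 * Returns 0 on success, -1 with errno set otherwise. */
int restrict_to_downloads(const char *home)
{
    char path[1024];

    if (downloads_path(home, path, sizeof path) == -1) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* "rwc": read, write and create files below this directory only. */
    if (unveil(path, "rwc") == -1)
        return -1;
    /* A final call with NULLs forbids any further unveil() calls. */
    if (unveil(NULL, NULL) == -1)
        return -1;
    return 0;
}

/* Try to open a path read-only. Returns 0 if it opened, else the errno.
 * Once restrict_to_downloads() has succeeded, any path outside ~/Downloads
 * yields ENOENT: the kernel hides the rest of the filesystem entirely. */
int probe_open(const char *path)
{
    int fd = open(path, O_RDONLY);

    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    const char *home = getenv("HOME") ? getenv("HOME") : "/tmp";

    if (restrict_to_downloads(home) == -1) {
        perror("unveil");
        return 1;
    }
    /* On OpenBSD this prints "No such file or directory" for /etc/passwd. */
    printf("/etc/passwd: %s\n", strerror(probe_open("/etc/passwd")));
    return 0;
}
```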

I think if you run a snap package without privileges it is pretty sandboxed too.

Presumably only if AppArmor is available.

Ahh, I didn't know that -- thanks. I think it's enabled by default on Ubuntu? Or was it Fedora that runs SELinux by default?

Yes, Ubuntu has it enabled by default - so Snaps are first class citizens on Ubuntu. I think the upcoming release of Debian may also have AppArmor by default.

> many features that require toil to achieve on FreeBSD, such as suspend on lid close, working volume buttons, and decent battery life, work out of the box on OpenBSD

Suspend on lid close worked out of the box for me on FreeBSD, on a ThinkPad X240. (Well, almost out of the box — had to disable the TPM in the firmware setup, otherwise the TPM would prevent it from waking up.)

There's NO WAY battery life could be better on OpenBSD though. OpenBSD is not even tickless!!

I measured the power consumption of the SoC with Intel's pcm tools, it's ~1W when idling in GUI on FreeBSD. Does OpenBSD even have pcm.x? ;)

> There's NO WAY battery life could be better on OpenBSD though. OpenBSD is not even tickless!!

FWIW FreeBSD idled hot on my ThinkPad X201 and X201s, where OpenBSD did not. I got more battery from a slim Linux than OpenBSD, but FreeBSD was by far the worst for battery life if you're comparing them.

Odd. Did you load the GPU driver? Start powerd?

Yes. I was looking at power optimisations at the time and those were suggestions. The issue was an idle load of 1.0 (nothing was noticeably taking CPU), and when I say idle I mean there was nothing being drawn on screen and the browser was closed.

... but Sendmail was furiously trying to redeliver a massive mail queue of daily security run output messages? (-:

There is more than just your WWW browser and X applications running on a FreeBSD system.

Yes, of course, but maybe that's part of the problem.

FWIW, sendmail delivery to local mailboxes shouldn't need to retry, since it'll just dump in root's spool folder.

I trust in god alone, all others must bring benchmarks.

I like how most of the configuration in this setup is very similar to how I configured systems as far back as mid-nineties. Most applications have a simple single config file, and a single responsibility, true to Unix' philosophy. My window manager needs haven't really changed during all this time. Add a nice launcher that indexes your system and you have most of everything you will need.

> Full Disk Encryption with SoftRAID

It's worth noting that SoftRAID for encryption is mutually exclusive with SoftRAID for redundancy: "Note that "stacking" softraid modes (mirrored drives and encryption, for example) is not supported at this time."[1]

[1] https://www.openbsd.org/faq/faq14.html#softraid

One can certainly stack softraid volumes but I think the FAQ indicates you won't receive support if something goes wrong.

    # bioctl -c 1 -l /dev/sd1a,/dev/sd2a
    softraid0: RAID 1 volume attached as sd3
    # ...
    # bioctl -c C -l /dev/sd3a softraid0
    New passphrase:
    Re-type passphrase:
    softraid0: CRYPTO volume attached as sd4

I've personally used a setup like this since around OpenBSD 6.0.

Interesting, I didn't know it worked. A comment on another site by stsp@[1] suggested it doesn't.

It does work if you do it manually. The nested softraid will not be assembled at boot. Thus officially unsupported.

On my desktop, I tried installing TrueOS and FreeBSD but kept having trouble with the install, then the applications and KDE, then the drivers; things were wonky. Installed OpenBSD a couple of times and it all (mainly) just worked. Eventually just stayed with OpenBSD and have been very happy, especially with the excellent documentation, ease of installation and ease of use. I heard the FreeBSD devs don't use it on their personal comps as much as OpenBSD devs do, and that kind of sealed the deal for me. Thinking back, it was even easier than most Linux installs I've done.

OpenBSD is the friendliest OS I know of. That said... it seems to be picky at who it calls friend :)

This should probably also mention running syspatch.

Thanks for the feedback! I've added a tidbit about syspatch, and also warned users about the (somewhat unusual) state of updates for third-party packages on OpenBSD:

Cool, the biggest issue I’ve always had with FreeBSD is figuring out how to do routine updates when I’ve installed ports.

If you're building some ports with custom options, check out Synth: https://github.com/jrmarino/synth

It downloads binary packages when it can & builds ports in parallel while showing a very nice ncurses UI :)

Can second Synth. I always used it on laptops where a full poudriere setup would have been overkill.

Also it’s written in Ada!

Cool, as a Lisper I have to support niche languages :)

I've tried a BSD laptop before, and my concerns always boil down to the same nonsense... can anyone offer some advice?:

- how do I read ext4/fat/etc USB sticks from coworkers?
- is 3D or video support good with AMD?
- soundcard and full disk encryption? what about EFI boot?

- reading ext4 is possible but hard (OpenBSD doesn’t support journaling filesystems); you’re better off with ext2 or FAT
- video support with AMD GPUs is good, much better than NVIDIA
- OpenBSD has a good sound stack that supports most audio systems
- full disk encryption is easy to set up and mentioned in the article
- UEFI and GPT work wonderfully on recent versions

What's the reason for missing journaling file systems? Lack of developers? Design choice for code simplification? Security reasons? Or something else?

I guess the same as with support for, say, NTFS, plus less incentive to work on it, since it’s less popular.

Similar with FreeBSD (use geli for encryption) and I believe ext4 read support works now.

Is there FS-wrapper support on OBSD?

NetBSD can read ext3/4 with a puffs filesystem driver... these days it can support ext4 extents natively as well, just not journalling.

Puffs is the NetBSD version of FUSE, and there is even a FUSE-to-puffs adapter so you can mount FUSE filesystems under NetBSD.

So does OpenBSD with FUSE, and for NTFS you have ntfs-3g in ports.

Question. I find it exceedingly useful that Mac OS has readline keybindings enabled in most (all? I can't think of any counterexamples, including the Spotlight overlay) of its text fields: control-A is head of line, control-E is end of line, etc. I've been using control-N and control-P to move between lines while editing this comment; it's simply a text field in Firefox.

Is it possible to turn on this functionality in OpenBSD?

Why configure cwm to emulate i3 when you could just run i3?

Still, cool to see people running a BSD on a laptop, IIRC I ran NetBSD on my old Thinkpad in college.

It’s in the OpenBSD distribution, which presumably means it undergoes the same code auditing that the rest of OpenBSD does.

Yep, cwm is maintained by the OpenBSD devs and is part of base, so you don't have to download a package for it. If you want, though, i3 is only a quick dl away.

I used to have a kind of complicated cwm setup, but I got tired of that and just use XFCE now. It runs great.

Ditto, but with JWM instead of XFCE. Minimalist, a rational set of functionalities, click-to-focus-and-raise, plus a CDE-like colorscheme borrowed from AIX.

As for the file manager, I use noice, but I wouldn't mind this ported to OpenBSD:

I can’t decide whether the old motif widgets are ugly as sin or not. But for whatever reason, I find the screenshot of that file manager to be salve for my soul. Probably just nostalgia.

I must say though that I’m just as glad Motif has mostly faded into history. It was... a challenging widget set to work with.

Now, I wish something like GNUStep had caught on. Maybe an independent BSD implementation.

On Motif, Irix's theme was really great: http://www.inventinginteractive.com/2010/12/07/desktop-uios-... I wouldn't mind a GTK theme adaptation. A Motif one exists on Gnome Look, and it's more usable than you think.

I was just thinking of swapping my largely-unused ThinkPad over to OpenBSD yesterday, so this is extremely timely and useful :D

Great article. Been thinking of doing the same. Typo in the first paragraph under “Installation”:

“Grab a USB stick and download the the the amd64 disk image:”

How’s the battery life? OpenBSD is nice and nifty little UNIX experience, definitely geared towards users who know what they are doing/wanting.

About 7 hours on an oldish ThinkPad (T530) on a full charge:

  $ apm
  Battery state: high, 99% remaining, 430 minutes life estimate
  A/C adapter state: not connected
  Performance adjustment mode: auto (1200 MHz)

Wow, that’s good! I want to get a used X220 and a new 9-cell battery. If I could pull off 7-9h battery life I would consider it a great success. Btw, I would be using only StumpWM, Firefox and Emacs. For media consumption I've got MacBooks.

On my x230 with the 44wh battery I get around 4-5 hrs with normal usage

While this is a nice setup in case of a ThinkPad, this doesn't really work out on practically anything else. I get that a lot of the FOSS, or somewhat more specifically, the hardcore users use a ThinkPad, but the rest of the world pretty much doesn't (at least no longer since Lenovo bought IBM's spun-off computer bits). None of this stuff works on the generic MS Surface or Apple Mac stuff you see in 99% of the use cases where people are capable of installing an OS at all.

As nice as mobile support in OpenBSD is, and as nice as this guide is, it's still super niche :(

Apple is 10.4% of the current market. Lenovo, who you think nobody uses anymore, is 20.8%, twice as popular as Apple. The Surface is some fraction of the approx. 11% "other".

Remember we all live in bubbles. I couldn't have pulled market share out of my rear either; I had to look it up.

Perhaps those global numbers are relevant, I don't know. I don't see them (Lenovo) deployed that widely in my work environments (four companies, employed by one, servicing three others) I mostly see Apple, HP and Dell, and the odd Lenovo on-demand. Keep in mind that this is also in environments where docking stations are on the way out, which seems to correlate to certain device choices (I've read a few blogs about that, not sure which ones as it was a few months ago).

Maybe the market share assumes consumer and low-end models?

I couldn't find a breakdown of purely business vs consumer. I would be interested in seeing one if you were aware of one.

Actually, OpenBSD does work on the Microsoft Surface Go, thanks to Joshua Stein's driver work [0]. You're right that many systems will require a more in-depth setup than the ThinkPad in the article (Broadcom wireless and NVIDIA graphics are a challenge in particular), but many laptops work much better than you would expect.

I've had good luck getting it to boot on older Mac hardware; newer systems (especially with the T2 chip) may be harder.

[0]: https://jcs.org/2018/08/31/surface_go

Yeah, but no wifi (no bluetooth and no cameras either).

I know some people consider lack of Bluetooth support a show-stopper, and maybe for some of them it actually is, and is actually worth the downsides of Bluetooth, but I think the practical effect is actually much smaller than one might think. While some needs are only filled by specific products, and those products only come with Bluetooth support for connectivity, most needs people imagine when bringing up lack of native Bluetooth support are easily supported (perhaps even better) with other connectivity options, and Bluetooth really does come with substantial downsides even on platforms that support it.

I, for one, have yet to encounter a "need" for Bluetooth that is not better filled by something other than system-native Bluetooth support, and am happy to avoid the negatives (e.g. security issues) by avoiding Bluetooth-only products. The one case in my life where the only option is Bluetooth is something that is designed to connect to my Android smartphone, which is not (yet?) ready for OpenBSD anyway.

UVC cameras and USB Wireless cards work.

The cameras and WiFi are probably not UVC or USB in the case mentioned.

Your specific examples are special cases. The Surface is essentially a “Windows 10 machine”, and while Apple permits installation of Windows on Macs, other operating systems are specifically not supported. (And macOS is already BSD-esque anyway.)

These instructions will work fine on any normal, generic, PC laptop.

Unless you're on older unsupported macbooks, I'm not sure I'd run something that wasn't macOS unless under a VM. That's just me. Although, I don't like a lot of the direction, or lack of with macOS.

I'll probably put a new system together around mid next year (leaning Ryzen 2 near release). Will decide on Hackintosh, Linux or BSD at that time. Most likely hackintosh, but who knows. Linux (Elementary and Ubuntu) are finally around where I would want it for a primary desktop.

I was merely stating the general work-machine distribution in my direct and indirect environment. Perhaps they are special cases from the OS standpoint, but from the people point of view, those are the devices they have.

Every time someone posts something about OpenBSD, there is someone who will post how hardware support is a problem.

Maybe, not everything is supported, but on ThinkPad, almost all (if not all) hardware is supported, yes (lots of developers use these machines). However, I've run OpenBSD on very cheap laptops also, with the only thing unsupported usually being the wifi. This is easily solvable by buying a cheap/supported USB dongle for $10 or less.

OTOH, I've tried the most common Linux distro on a ThinkPad last week, and I couldn't even install because of the installer crashing (no, before anyone asks, the integrity was checked and it was OK).

Well, you are pretty much stating the same thing in the inverse way: yes, it works on ThinkPad, but not everyone uses a ThinkPad or wants one.

> However, I've run OpenBSD on very cheap laptops also, with the only thing unsupported usually being the wifi. This is easily solvable by buying a cheap/supported USB dongle for $10 or less.

Are you saying that 10 USD is a show-stopper for you, or did you just not finish reading before you commented?

WiFi works fine on many non-ThinkPad laptops without any USB adapter, by the way. It's mostly Broadcom that causes issues.

As mentioned in TFA, running OpenBSD on mainstream, not-bleeding-edge PC laptops is pretty easy. I've been doing it with such machines (Dell, Compaq, ThinkPad, and most recently HP) for eight years. The last few years especially it has been easier to run OpenBSD than most Linux distros, actually. Hardly niche.

OpenBSD has been the most trouble-free laptop install choice I've ever had the pleasure to enjoy, and the smoothest upgrade experience without reinstalling as well (including upgrades of Windows, MacOS, and DOS).

You'd be surprised how many ThinkPads I see in use in coffee shops. By business people and college students, not even counting the developers.

There are a lot of ThinkPads in the wild.

I suppose it depends on your environment. In coffee shops and non-business-enterprise-y-buildings I mostly see cheap ass Acer, HP and Toshiba models for about 70% of the time, the remainder are Apple, Dell and the odd Surface.

I see more non-ThinkPads than ThinkPads, in coffee shops, in small consultancies, in startups, and in corp teams, but I see more ThinkPads than any other single brand except Macs, and I only see that many Macs because of all the hipster fullstack devs around me on a day to day basis.

We use a lot of new ThinkPads at work; they blow HP/Dell out of the water regarding getting stuff done. (Also great on-site support.)

Soon it's the only laptop model used.

Also I guess it works on the Yoga series which is a good contender to macbook pro for home usage :)

Also X1 Carbon and T4XX series, for light/small laptop types, to say nothing of other X-series ThinkPads. I found a guy on Twitter recently, Roman Zolotarev, who runs a small job board and documents OpenBSD installation, configuration, and so on, for X1 Carbons in excruciating detail -- and apparently the detail is well beyond the needs of the typical install because X1 Carbons are evidently very well supported. My own T4XX is also very well-supported, as are those of other people I know personally who bought ThinkPads in that series for use with FreeBSD and OpenBSD after hearing about my positive experience.

I think most of the enterprises/medium businesses I deal with don't even have contracts with Lenovo at all. Mostly just Dell and HP, and depending on the type of work a lot of Apple too.

My spouse's employer just decided to kill its Dell contract for laptops and go with ThinkPads because Dell's warranty service is so limited/shoddy, and the reason cited is actually a common story. There are more Lenovo enterprise contracts than you think, and those that still use Dell aren't measuring all the costs or are getting very, very special deals.

Writer spent ages on the window manager. XFCE is much easier: https://sohcahtoa.org.uk/openbsd.html

To be fair, I use cwm as well and the only configuration I made to it was changing the font.

I've not updated that page for the new release as yet. The first paragraph summarises the changes.

OA has an example of the new wifi autofind feature which I need to bottom out.

I am interested in moving from OSX to Linux.

However, my muscle memory has made it difficult to use ctrl + key versus command + key.

Is there an easy way (for example in Ubuntu?) to remap shortcuts so that copy and paste are command + C and command + V? Also, ctrl + C should still stop processes in the terminal, so it's not as simple as swapping ctrl and command for all processes... This problem has been bugging me a lot with Linux, and finding a solid solution would help a lot of OSX people switch to Linux more easily.

The problem is with your previous operating system, not ours. I wish I could flip the Mac laptop to not use that command key.

I swap the cmd and ctrl keys on mac all the time, it's in the GUI...

Apple Menu -> System Preferences -> Keyboard -> Modifier Keys

The only pain is when I'm in a terminal, the ctrl key is different. I use model-m style keyboards.

Why? It's much, much more comfortable once you get used to it.

Doubtful. The command key does not need to exist. Every other operating system gets along fine without it. Apple is not even consistent either. As soon as you open up their terminal, you’re stuck in this bizarre land where you have to ctrl+c and cmd+c for different tasks. Linux splits paste into either a mouse click or shift+insert to avoid all this.

> you’re stuck in this bizarre land where you have to ctrl+c and cmd+c for different tasks

Which I find quite reasonable, personally. If I want to copy text, it's Command-C everywhere in the system, even in the terminal–no Command-Shift-C or similar "hack". If I want to send a SIGINT to a program it's Control-C, as it should be.

On the contrary, other operating systems simply call it other names, such as "Windows" or "Super". It's all the one key to the USB HID protocol.

xmodmap for keys.

Most desktop environments allow remapping hotkey bindings and combos, though I strongly recommend sticking to defaults.

Well, except for ctrl-capslock swapping, of course.

This looks like a useful guide.

> If you're even a little paranoid, you should start by overwriting the disk with random data. We'll assume your hard disk is sd0—you can use dmesg to check. The c suffix is OpenBSD's way of specifying the entire disk.

    dd if=/dev/urandom of=/dev/rsd0c bs=1m

Can I check: why would you do this rather than using the ATA SECURE ERASE command?

Having a blob of random data on my drive would mean crossing international borders is potentially unpleasant.

Does anyone know if OpenBSD can run properly on a Macbook?

MacBook G4, sure... newer ones may have problems. To new users/new hardware I would recommend a USB stick with the network installer, and then try to install to the USB stick and check what is working.

Also check if your PC is listed here: https://dmesgd.nycbug.org/index.cgi?do=index&fts=apple

You are tempting me to pick up one of the two favorite laptops (or both) I have ever owned: the 12 and 17 inch Aluminum PowerBook G4. Makes me wonder what kind of mods I can do to it now?

Just installed it on a late 2009 MacBook A1342 and everything works except the Broadcom Wi-Fi. Using an external Belkin stick supported by rum(4). Even the NVIDIA GeForce 9400m is functional both on the command line and in Xorg. The touchpad works out of the box with gestures and right-click and scrolling and the whole nine yards.

Newer Macs might be more challenging, with fancy proprietary chips and whatnot.

Be sure to enable apm(4) to not melt through your motherboard.

Runs great on my iBook G3. I know that isn't what you asked, but FWIW OpenBSD works on my old laptops.

Nice, but if you like click-to-focus-and-raise WMs you can try JWM; it's great and has very few deps, almost nil.

Amazing guide! You have a typo - a second ‘chown’ in mail setup section should be ‘chmod’

Thank you!

Some more: 1) .cwmrc has a parse error around the chrome command - fixed by adding quotes around "chrome --enable-unveil"

2) I copied your fonts.conf exactly, and see “Fontconfig error, line 2: syntax error”. Can’t figure out yet what’s going on.

Thanks. I think the issue is DOCTYPE; here’s the real file that I use hosted on GitHub, haven’t had any problems with it.

I've fixed the Fontconfig error by properly capitalizing DOCTYPE and SYSTEM and using double quotes:

    <?xml version="1.0"?>
    <!DOCTYPE fontconfig SYSTEM "fonts.dtd">

"You won't find nearly as many online resources about setting up OpenBSD, because honestly, you really don't need any. "

That was the last thing I wanted to read when wondering if OpenBSD will fit on my Ryzen machine.

You don't need a third party blog, it's in the documentation[1]: "All versions of the AMD Athlon 64 processors and their clones are supported."

The other drivers are the ones you need to worry about -- check the man pages, which list the supported hardware. For example: https://man.openbsd.org/radeon.4

The attitude isn't "You shouldn't need documentation". The attitude is "OpenBSD should ship with documentation good enough that nobody feels the need to write up the results of sleuthing around".

Thanks, I'll check that out.

Ryzen works great, and will likely improve over time. The Vega GPU that accompanies some models is unsupported; however, if you can get a slightly older AMD card things will be better on the graphics side, but this is only important if you care about some light gaming or desktop frills.

My OpenBSD Ryzen build:

A small detail: why do we still have to specify the block size (bs=1m) to dd? Can't it have a better default than 512 bytes?

In most cases, 128k is actually the optimal block size, and is (microscopically) faster than 1m. And also uses a tiny bit less ram.

Seems like a good default. I was expecting tons of comments telling me that it had to stay at .5 K for various arcane reasons.

I can't even imagine the suffering with broken shell scripts if the defaults change.
